Bug 1572904 - crash near null in [@ mozilla::dom::SVGElement::FlushAnimations]
Status: RESOLVED FIXED (Closed)
Product/Component: Core :: SVG (defect)
Target Milestone: mozilla70
Opened 6 years ago; closed 6 years ago

Branch | Tracking | Status
---|---|---
firefox-esr60 | --- | unaffected
firefox-esr68 | --- | unaffected
firefox68 | --- | unaffected
firefox69 | --- | wontfix
firefox70 | --- | fixed

People: Reporter: tsmith, Assigned: longsonr
References: Blocks 1 open bug, Regression
Keywords: crash, regression, testcase
Attachments: 2 files, 1 obsolete file
Reduced with m-c:
BuildID=20190809095611
SourceStamp=36c3240e5cafd7b57146bab3b177bfa47f42bcfa
The attached test case requires a fuzzing build with the "fuzzing.enabled=true" pref set.
==125952==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x7f13e531e11f bp 0x7ffd48d5d870 sp 0x7ffd48d5d860 T0)
==125952==The signal is caused by a READ memory access.
==125952==Hint: address points to the zero page.
#0 0x7f13e531e11e in GetBoolFlag /builds/worker/workspace/build/src/dom/base/nsINode.h:1505:12
#1 0x7f13e531e11e in IsInComposedDoc /builds/worker/workspace/build/src/dom/base/nsINode.h:630
#2 0x7f13e531e11e in GetComposedDoc /builds/worker/workspace/build/src/dom/base/nsINode.h:640
#3 0x7f13e531e11e in mozilla::dom::SVGElement::FlushAnimations() /builds/worker/workspace/build/src/dom/svg/SVGElement.cpp:2367
#4 0x7f13e539ee0d in mozilla::dom::SVGRect::X() /builds/worker/workspace/build/src/dom/svg/SVGRect.cpp:50:55
#5 0x7f13e2270d51 in mozilla::dom::SVGRect_Binding::get_x(JSContext*, JS::Handle<JSObject*>, mozilla::dom::SVGRect*, JSJitGetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/SVGRectBinding.cpp:32:37
#6 0x7f13e37506e4 in bool mozilla::dom::binding_detail::GenericGetter<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3059:13
#7 0x7f13ea2c3627 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447:13
#8 0x7f13ea2c3627 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:539
#9 0x7f13ea2c8f50 in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:594:10
#10 0x7f13ea2c8f50 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:610
#11 0x7f13ea2c8f50 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:734
#12 0x7f13ea7ce3bf in CallGetter /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2269:12
#13 0x7f13ea7ce3bf in GetExistingProperty<js::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2321
#14 0x7f13ea7ce3bf in NativeGetPropertyInline<js::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2570
#15 0x7f13ea7ce3bf in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2607
#16 0x7f13ea2d136d in GetProperty /builds/worker/workspace/build/src/js/src/vm/ObjectOperations-inl.h:117:10
#17 0x7f13ea2d136d in GetProperty /builds/worker/workspace/build/src/js/src/vm/ObjectOperations-inl.h:124
#18 0x7f13ea2d136d in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:4512
#19 0x7f13ea2ac6c8 in GetPropertyOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:217:10
#20 0x7f13ea2ac6c8 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2770
#21 0x7f13ea28db4f in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:424:10
#22 0x7f13ea2c412f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:567:13
#23 0x7f13ea2c6352 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:610:8
#24 0x7f13eadd0bf8 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2659:10
#25 0x7f13e2fb7854 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:267:37
#26 0x7f13e3f1ef31 in Call<nsCOMPtr<mozilla::dom::EventTarget> > /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
#27 0x7f13e3f1ef31 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:205
#28 0x7f13e3ee351c in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1031:22
#29 0x7f13e3ee4f60 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1223:17
#30 0x7f13e3ecbbaa in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
#31 0x7f13e3ecbbaa in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:349
#32 0x7f13e3eca3c2 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:551:16
#33 0x7f13e3ecfd8b in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1047:11
#34 0x7f13df9b6e54 in nsHtml5SVGLoadDispatcher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5SVGLoadDispatcher.cpp:30:3
#35 0x7f13dcddd111 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
#36 0x7f13dce0f060 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
#37 0x7f13dce15478 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
#38 0x7f13de01e1bf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#39 0x7f13ddf1b6e2 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#40 0x7f13ddf1b6e2 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#41 0x7f13ddf1b6e2 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#42 0x7f13e6118d09 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#43 0x7f13ea00b53f in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:919:20
#44 0x7f13ddf1b6e2 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#45 0x7f13ddf1b6e2 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#46 0x7f13ddf1b6e2 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#47 0x7f13ea00ade6 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:754:34
#48 0x55bd912cef13 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#49 0x55bd912cef13 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:267
Flags: in-testsuite?
Comment 1•6 years ago
Looks like this may have been a regression from bug 1551030.
Seems like script can keep a reference to a cycle-collected SVGRect (so that mParent is null)... That looks bad.
Robert, any ideas?
Flags: needinfo?(longsonr)
Regressed by: 1551030
Comment 2•6 years ago (Assignee)
No idea. Feel free to back out that patch.
Flags: needinfo?(longsonr)
Comment 3•6 years ago (Assignee)
Comment 4•6 years ago
No need to back out, this should be reproducible and thus fixable. I'm happy to back out as a last resort though.
Flags: needinfo?(emilio)
Comment 5•6 years ago (Assignee)
Updated•6 years ago
Keywords: regression
Comment 7•6 years ago (Assignee)
Updated•6 years ago
Attachment #9085824 - Attachment is obsolete: true
Comment 8•6 years ago (Assignee)
Pushed by longsonr@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/61a21b2c9e6e
refactor cycle collection code after DOMSVGAngle r=emilio
Comment 10•6 years ago (bugherder)
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
Updated•6 years ago
Assignee: nobody → longsonr
Updated•6 years ago
Crash Signature: [@ mozilla::dom::SVGElement::FlushAnimations]
status-firefox68: --- → unaffected
status-firefox69: --- → affected
status-firefox-esr60: --- → unaffected
status-firefox-esr68: --- → unaffected
Flags: in-testsuite? → in-testsuite+
Updated•4 years ago
Has Regression Range: --- → yes